Linux/Bash0day alias Shellshock alias Bashdoor


Re: Malware collection

Postby ikolor » Fri Apr 08, 2016 5:36 pm


Re: Linux/Bash0day alias Shellshock alias Bashdoor

Postby unixfreaxjp » Fri Apr 08, 2016 10:08 pm

Bashdoor or GayFgt, in crypted mode.
https://www.virustotal.com/en/file/b911 ... 460150975/
CNC in Ecatel 93.174.95.55:80

Re: Malware collection

Postby benkow_ » Sat Apr 09, 2016 3:05 pm


GAYFGT
Code:
89.248.162.146:179
(null)
buf: %s
/bin/sh
/proc/cpuinfo
BOGOMIPS
PING
:>%$#
%d.%d.%d.%d
%d.%d.%d.0
Failed opening raw socket.
Failed setting raw headers mode.
Invalid flag "%s"
GETLOCALIP
My IP: %s
HOLD
JUNK
KILLATTK
Killed %d.
None Killed.
LOLNOGTFO
8.8.8.8
/proc/net/route
   00000000   
[cpuset]
fork failed
FAILED TO CONNECT
PONG
%s 2>&1
LINK CLOSED
/dev/null
CAk[S
GCC: (GNU) 4.1.2

Re: Linux/Bash0day alias Shellshock alias Bashdoor

Postby unixfreaxjp » Tue Apr 12, 2016 3:39 am

Playing around with this new sample (posting.php?mode=reply&f=16&t=3505#pr28248), I found they just obfuscate the strings in the ELF. It's pure standard torlus inside, encoded/string-obfuscated, stripped, and no Intel x86 samples ..which is fine for all of us 8-)

To all good folks who battle this threat, this version's points of difference, for the memo:
1. The forks were run before decrypt.
2. Syscalls stripped, but all are torlus' ones.
3. Some hint: aim at the args, which they can never hide.
4. Put them back together & you'll see torlus/lizkebab/gayfgt code as it is.
5. Noted it is a different obfuscation method to what they did to the ELF STD bot that was previously spotted.

"Try harder kids!"
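The hint in the post above (aim at the args they can never hide) as an added example, not code from the poster: run the sample under `strace -f -s 256` in an isolated box and parse the execve/connect/open arguments, which appear in clear at runtime however the strings were stored in the ELF. The strace lines are constructed to mirror the strings in benkow_'s dump; treating the connect to 8.8.8.8:53 as a local-IP lookup helper rather than a CNC is an assumption, not something the thread states.

```python
"""Recover a string-obfuscated bot's behaviour from syscall arguments.

Added example for this thread, not code from any poster.  It parses the
execve/connect/open lines that `strace -f -s 256` prints when the sample is
run in an isolated box.  SAMPLE_STRACE is constructed to mirror the strings
in the dump posted above.  Treating the connect to 8.8.8.8:53 as a local-IP
lookup helper rather than a CNC is an ASSUMPTION, not a claim from the thread.
"""
import re

EXECVE_RE = re.compile(r'execve\("([^"]*)",\s*\[(.*?)\],')
ARG_RE = re.compile(r'"((?:[^"\\]|\\.)*)"')
CONNECT_RE = re.compile(
    r'connect\(\d+,\s*\{sa_family=AF_INET,\s*sin_port=htons\((\d+)\),'
    r'\s*sin_addr=inet_addr\("([\d.]+)"\)\}')
OPEN_RE = re.compile(r'\bopen(?:at)?\((?:AT_FDCWD,\s*)?"([^"]+)"')

HELPER_ENDPOINTS = {("8.8.8.8", 53)}  # ASSUMPTION: used only to learn the local IP


def parse_strace(text):
    """Pull shell commands, CNC endpoints and opened files out of strace output."""
    commands, c2, helpers, files = [], [], [], []
    for line in text.splitlines():
        m = EXECVE_RE.search(line)
        if m:
            argv = [re.sub(r'\\(.)', r'\1', a) for a in ARG_RE.findall(m.group(2))]
            # Shell commands are passed as "sh -c <cmd>", visible no matter
            # how the string was stored in the binary.
            if m.group(1).endswith("/sh") and "-c" in argv:
                commands.append(argv[argv.index("-c") + 1])
            continue
        m = CONNECT_RE.search(line)
        if m:
            ep = (m.group(2), int(m.group(1)))
            (helpers if ep in HELPER_ENDPOINTS else c2).append(ep)
            continue
        m = OPEN_RE.search(line)
        if m:
            files.append(m.group(1))
    return {
        "commands": commands,
        "c2": list(dict.fromkeys(c2)),
        "helper_connects": list(dict.fromkeys(helpers)),
        "files": list(dict.fromkeys(files)),
    }


# Constructed strace excerpt, not a real capture.
SAMPLE_STRACE = r'''
execve("./sample", ["./sample"], 0x7ffc2a1b0c40 /* 12 vars */) = 0
openat(AT_FDCWD, "/proc/cpuinfo", O_RDONLY) = 3
open("/proc/net/route", O_RDONLY) = 4
connect(5, {sa_family=AF_INET, sin_port=htons(53), sin_addr=inet_addr("8.8.8.8")}, 16) = 0
connect(6, {sa_family=AF_INET, sin_port=htons(179), sin_addr=inet_addr("89.248.162.146")}, 16) = 0
[pid  4242] execve("/bin/sh", ["sh", "-c", "cat /proc/cpuinfo 2>&1"], 0x55d0c0 /* 12 vars */) = 0
'''

if __name__ == "__main__":
    import sys
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_STRACE
    print(parse_strace(text))
```

Feed it a real trace with `strace -f -s 256 -o trace.txt ./sample` then `python3 args.py trace.txt`, on a throwaway VM with egress blocked, since the sample will try to reach its CNC. The point is the one the post makes: the decrypt routine can hide what is in the file, but not what is handed to the kernel.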

Re: Linux/Bash0day alias Shellshock alias Bashdoor

Postby unixfreaxjp » Sat Apr 30, 2016 9:05 am

Some insights into this malware are posted as an addition here:
http://blog.malwaremustdie.org/2016/02/ ... tml#gayfgt

Re: Linux/Bash0day alias Shellshock alias Bashdoor

Postby unixfreaxjp » Mon May 02, 2016 3:45 pm

Another GayFgt, "BadLuckJosh" (BLJ): an obfuscated modification in some function names and strings.
Made a video on how to dissect it more easily.
The reference for this particular "encrypted" type is here.
Sadly the plan works to fool AV products that aren't aware this version exists; make more sigs, guys!

Re: Malware collection

Postby ikolor » Thu May 05, 2016 4:14 pm


Re: Malware collection

Postby unixfreaxjp » Thu May 05, 2016 9:55 pm


Hello.
Poked by @Xylit0l, I checked your sample the powerpc one.
It is what a young collective group of punk hacktivists (read: skiddos) who love to ddos call Torlus or LizKebab or LizKaboob or Lizard Botnet or GayFgt (the coder loves using these words);
good guys call it bashdoor, bashlite or GafGyt or similar.
The malware family is in the linux section: viewtopic.php?f=16&t=3505
It first raised attention with the shellshock 0day.

Your particular sample is aiming for busybox routers.

And it issues spread/distribution efforts via execution of tftp (a busybox router command).

The CNC is at 89.248.162.167:121 < to be blocked.
And if you find this sample on infected routers (not a honeypot or some crook-related site), the nearby segment which has busybox running on telnet should be checked first too. Just make sure they don't use the user/login names (red) and passwords (purple) described in the picture above.

But the download center (likely the spread script center) is at a different IP address, 93.174.95.38, downloading/executing those {meow*} binaries, replacing busybox for the infection and then deleting them.

GeoLocation for the infectors is the known NL shitty networks:
Code:
89.248.162.167|no-reverse-dns-configured.com.|29073 | 89.248.160.0/21 | QUASINETWORKS | NL | ecatel.net | Ecatel LTD
93.174.95.38||29073 | 93.174.88.0/21 | QUASINETWORKS | NL | ecatel.net | Ecatel LTD

The actor is known in some forums, for these specifics, as a part of this threat family.

Re: Malware collection

Postby unixfreaxjp » Fri May 06, 2016 1:56 am

ref: viewtopic.php?f=16&t=3966&start=60#p28247

This is actually an interesting sample, an unusual build. I have two reasons for it:
(1) This is the lizkebab/torlus/gayfgt personal version basis..not so many are using it since not many skiddos own this type, (2) in this ELF's case the actor trimmed the telnet scanner brute credential data (assumed to disable it); below is the code snippet:
One should see the db array of text of the root account, login strings and password strings before the NULL, if it exists. These data are to be grabbed & used by the telnet scanner function.

The detection of the "personal version": I recognized it since I categorize samples of torlus/gayfgt found in the wild and check them case by case. Below is the disassembly data of this sample "b4e9af8e5fd11c94b68b7d13a75945af" on the main part, which shows the type of client.c code that was used.

So this version works as a backdoor with ddos functions. The reason the telnet scanner is disabled is maybe to avoid some IDS alarm on telnet scanning.

Judging by the network used as CNC, the actor "could be" the same as in this case viewtopic.php?f=16&t=3966&p=28461#p28460, one of the crooks mentioned here: blog.malwaremustdie.org/2016/02/mmd-0052-2016-skidddos-elf-distribution.

Re: Malware collection

Postby ikolor » Sat May 07, 2016 9:36 am

I'm not too familiar with analyzing malware code. But I had my system scanned on port 23 from this IP: 93.174.93.50
